The Latest in Cybersecurity Law

The Latest in Cybersecurity Law

These lawsuits and bills may have an impact on your business

Any company that’s online should know what is going on in the world of cybersecurity. With rules and regulations changing by the day, businesses have to make sure they stay compliant and are doing everything they can to protect their sensitive information.

Over the last several months, there have been numerous court cases and proposed pieces of legislation that could affect millions of companies. They touch on three pertinent topics: data access by law enforcement, data breaches, and cybersecurity standards.

Access to data by law enforcement

Carpenter v. the United States

Under the Fourth Amendment, law enforcement is able to get information on a person from a third party – like a telephone company, for example – without requiring a search warrant.

In the pending Carpenter V. United States case, the Supreme Court has to decide if the amendment allows for the seizure and search of cellphone records without a warrant. Because companies now have so much data on so many people, the outcome of this case could end up having a huge impact.

Microsoft v. the United States

Law enforcement had been barred from accessing – with a U.S. search warrant – user data stored overseas. The government insisted that this would hinder investigations and wanted the Supreme Court to overturn this decision.

Microsoft believed that the government didn’t have jurisdiction over data centers located in other countries, or the data they contain. Microsoft also stressed that a Mutual Legal Assistance Treaty could garner the necessary information. This case was recently completed, with SCOTUS ruling in favor of the United States.

The future harm caused by data breaches

CareFirst Inc. v. Attias

In 2014, health insurance company CareFirst suffered a data breach, which resulted in a class action lawsuit, with plaintiffs citing the possibility of future harm from the breach. In 2016, the District Court ruled in favor of CareFirst, but that decision was reversed in 2017.

Now CareFirst has asked the Supreme Court to review the latter ruling. This case is similar to another one – Spokeo v. Robins – which declared “a plaintiff must affirmatively plead particularized and concrete injury to establish Article III [of the Constitution] standing” to determine future harm.

“Everybody v. Equifax”

Late last year, Equifax was hit with a class action lawsuit filed in every state in the U.S. Now, the company is facing another class action suit, this one filed by the Independent Community Bankers of America on behalf of community banks around the country. Similar to the CareFirst case, this one will concern whether or not the threat of future harm from a data breach is “sufficient to establish Article III standing.”

Complying with cybersecurity standards

Ohio Senate Bill 220

This proposed bill would offer businesses protection from lawsuits related to data breaches if they can show that their cybersecurity was up to industry standards. If passed, the bill would safeguard companies as long as they complied with the NIST Cybersecurity Framework and other standards, including those imposed by laws such as FISMA and HIPAA. This Ohio bill could set the stage for additional states enacting similar legislation.

Transparency in the wake of a data breach

Cybersecurity Disclosure Act of 2017

This bill aims “to promote transparency in the oversight of cybersecurity risks of publicly traded companies.” All publicly traded companies would be required to reveal the cybersecurity experience of their board members or general partners. If no one has any experience, the company would need to identify the cybersecurity measures it has taken to find future board members.

Data Security and Breach Notification Act

If passed, a new law would require the Federal Trade Commission to create cybersecurity standards for companies. Its goal is “to protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.”

Financial businesses, in particular, have to ensure they’re doing everything right when it comes to cybersecurity. CyberGuard360 can implement the most effective security solutions to keep you safe from any threat and comply with 23 NYCRR 500, New York’s first-in-the-nation cybersecurity law. To learn more about what we offer, please contact us.